06-13-2013 02:25 AM - edited 03-11-2019 06:57 PM
Hi,
I would like to configure "when host X on vlanX goes to a network that is across an IPsec tunnel, for which the vlanX network is not in the encryption domains, translate host X's address to that of the ASA in a network that is part of the crypto domain".
Interface vlan544 (172.16.80.0/24) is the local encryption domain, and 10.1.0.0/29 holds some monitoring servers that should not be part of the encryption domain, but rather get their source address translated to that of the firewall in 172.16.80.0/24. Here's what I did:
# Vlan522 for 10.1.0.0/29, need to somehow have a specific nat here I guess that falls between the no nat and the generic "nat the rest to the global"
nat (vlan522) 0 access-list vlan522_nat0_outbound
nat (vlan522) 1 0.0.0.0 0.0.0.0
# Next, I defined an ACL to match the source network (10.1.0.0/29) with the remote encryption domain (172.18.0.0/24):
access-list prtg-to-slott-net extended permit ip 10.1.0.0 255.255.255.248 172.18.0.0 255.255.255.0
# Removing the global nat on vlan522:
no nat (vlan522) 1 0.0.0.0 0.0.0.0
# Set up the newly defined access-list as nat entry 1 instead
nat (vlan522) 1 access-list prtg-to-slott-net
# Re-adding the catch all nat but this time as rule number #2
nat (vlan522) 2 0.0.0.0 0.0.0.0
This obviously didn't work; the second (number 2) rule is never hit. What am I doing wrong?
06-13-2013 02:48 AM
Hi,
I got a bit confused reading that.
So did I understand correctly that the situation is the following?
In this case you should probably do the following:
access-list L2LVPN-POLICYPAT permit ip 10.1.0.0 255.255.255.248 172.18.0.0 255.255.255.0
global (outside) 100 172.16.80.254
nat (vlan522) 100 access-list L2LVPN-POLICYPAT
There is of course a chance that some existing NAT configuration makes this one useless, but for that we have the "packet-tracer" command to determine which configurations are hit when the traffic arrives at the ASA:
packet-tracer input vlan522 tcp 10.1.0.2 12345 172.18.0.100 3389
The port and IP address values I used are random and can be pretty much anything. Of course the mentioned traffic needs to be allowed in the interface ACL, or "packet-tracer" hits an ACCESS-LIST DROP.
- Jouni
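The answer above in context, as an added example that is not configuration from the original thread: a complete pre-8.3 ASA NAT and crypto configuration for the scenario (monitoring hosts in 10.1.0.0/29 reaching the remote encryption domain 172.18.0.0/24 through the tunnel as 172.16.80.254). The interface name "outside", the crypto map and ACL names, the nat-exemption ACL for vlan544, and the use of the outside interface address for ordinary PAT are assumptions.

```cisco
! Added example, not from the original post. Assumed names: "outside",
! "outside_map", "outside_cryptomap", "vlan544_nat0_outbound".

! 1. NAT exemption for the real encryption domain: vlan544 traffic to the
!    remote domain leaves the ASA untranslated so it matches the crypto ACL.
access-list vlan544_nat0_outbound extended permit ip 172.16.80.0 255.255.255.0 172.18.0.0 255.255.255.0
nat (vlan544) 0 access-list vlan544_nat0_outbound

! 2. Policy PAT for the monitoring hosts: only when 10.1.0.0/29 talks to
!    172.18.0.0/24 is the source rewritten to 172.16.80.254.
!    The nat ID (100) must be matched by a global with the same ID on the
!    egress interface; a nat line with no matching global is never used.
access-list L2LVPN-POLICYPAT extended permit ip 10.1.0.0 255.255.255.248 172.18.0.0 255.255.255.0
global (outside) 100 172.16.80.254
nat (vlan522) 100 access-list L2LVPN-POLICYPAT

! 3. Everything else from vlan522 is PATed to the outside interface address.
!    Policy NAT (nat with access-list) is evaluated before regular dynamic
!    NAT, so the order of these lines in the config does not matter.
global (outside) 1 interface
nat (vlan522) 1 0.0.0.0 0.0.0.0

! 4. The crypto ACL only needs the local encryption domain: 172.16.80.254 is
!    already inside 172.16.80.0/24, so the post-NAT monitoring traffic is
!    encrypted without adding 10.1.0.0/29 to the tunnel on either peer.
access-list outside_cryptomap extended permit ip 172.16.80.0 255.255.255.0 172.18.0.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap

! 5. Verify: the NAT phase should report the L2LVPN-POLICYPAT line and the
!    VPN phase should show the traffic matching the crypto map entry.
packet-tracer input vlan522 tcp 10.1.0.2 12345 172.18.0.100 3389
```

Two checks worth doing with packet-tracer before trusting this: NAT exemption wins over policy NAT, so the existing vlan522_nat0_outbound ACL from the original post must not also match 10.1.0.0/29 to 172.18.0.0/24, or the monitoring hosts will go out untranslated and miss the crypto ACL; and the remote peer must keep 172.16.80.0/24 as the far-end encryption domain, since that is the only network it will ever see the monitoring traffic coming from.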
06-13-2013 02:58 AM
Jouni, you're really picking my questions and answering them one by one. You provide a good, short explanation; I now see the connection between the nat (int) VALUE and global (int) VALUE.
Thanks!